Lulz? Sony hackers deny responsibility for misuse of leaked data

Personal data obtained by LulzSec by means of a SQL injection attack is …

Hackers from Lulz Security ("LulzSec") broke into Sony Pictures servers, grabbed one million user accounts and plaintext passwords, then released a large sample of this data online yesterday. The data set seen by Ars Technica included names, home addresses, passwords, and e-mail addresses—perfect for malicious exploitation, since many people reuse passwords on multiple accounts. To make matters worse, the sample that LulzSec released contained data almost exclusively on (allegedly) elderly users born in the 1920s, '30s, and '40s.

According to LulzSec, hacks using the data have already begun—but don't blame them! Releasing all these e-mail addresses and passwords was Sony's fault.

"I hear there's been some funny scamming with jacked Sony accounts. That's what you get for using the same password everywhere," the group wrote this morning on its Twitter account. "Hey innocent people whose data we leaked: blame @Sony."

At least some of the leaked data does appear to be accurate. We cross-checked multiple addresses in the data release with US government property records and phone records; they match the listed surnames and phone numbers, and the leaked e-mail addresses in turn tend to mirror the names (often containing part of the name in question, for instance). The Associated Press called around and also confirmed the accuracy of some of the leaked data. But other entries in the database are quite clearly bogus—perhaps reflecting Sony contest entrants who didn't want to provide too much personal detail or were under the legal age to enter.

Mr. Lulz

This angered some people, like Twitter user H0lyPuma. "Alright @LulzSec there was no reason to publish the user accounts. hack all you want, but why punish the user? what did they do wrong?" he asked. "There is no way to justify distributing user accounts. This could fuck these people up for a long time."

Not that LulzSec cares. Its mascot wears a monocle and hoists a glass of wine in a rakish manner; its Twitter feed tells people, "You sir are sorely deluded if you think we're whitehat" and describes the group as "a team of entertainment and security experts that specialise in the production of malicious comedic cybermaterials."

In the group's IRC chatroom, the same lulz-loving, responsibility-free attitude prevails. When reporter Nick Deleon showed up to request an interview this morning, he got this:

[Reporter]: hi folks. so this is going to sound silly, but i'm
a reporter (the daily, the new ipad newspaper-thing) in new york
and i'm wondering if anyone here would like to talk about
the sony situation
[LulzSec member]: sure. in which hole of yours would you
prefer i stick my penis?
[Reporter]: if i have a choice in the matter, no hole would be preferable

The group even has a jolly pirate song, familiar to those who grew up watching The Love Boat.

Lulz, exciting and new,
come aboard, we're expecting you.
Lulz, life's sweetest reward,
let it flow, it floats back to you.
The Lulz Boat soon will be making another run
The Lulz Boat promises something for everyone.
Set a course for adventure,
your mind on a new romance.
Lulz won't hurt anymore,
it's an open smile on a friendly shore.
Yes LULZ! Welcome aboard: it's LULZ!

And so the Lulz Boat sails on. In its chat room, group members probe various government websites looking for common security flaws (the Sony Pictures hack used a basic SQL injection), joke about being Aaron Barr, and compare notes on obfuscating IP addresses. Apart from Twitter, however, the group has far less interest in chatting with reporters.

At this point they are just looking to embarrass Sony more. I'd call it childish, but so is Sony's security. In the end, it's like two morons staring each other down, one the lawful idiot, one the unlawful idiot. The best we can hope for is this lights a fire under some corporate IT security dept's asses. Congratulations Sony and lulz, you have both won the derp contest.

I already commented on this same story on Slashdot and I'll repeat the same here: what these morons are doing is malicious, ignorant, irresponsible and stupid. There is no reason to harass completely innocent people, i.e. the users of the site. There is no reason to expect them to be computer-savvy or to understand what is even going on, so just saying "they should know better!" doesn't serve as an excuse!

Besides, it doesn't hurt the company in the least. They'll just point fingers at the hackers and play the sympathy card. And thus this group has managed only to get even more sympathy for the company from the general populace while also stirring an ever-increasing wish for control from governments. Is that really what they want? How does that help anyone, including themselves?

If the door to your local council, which holds all your personal data, is left wide open and thieves walk in and take all the files of everyone there, do you blame the thieves or the council for being incompetent?

It's all 'lulz' and cake making fun of the group but don't ignore an actual issue by focusing on what they did and completely ignoring why it was possible in the first place. Disappointed, I am.

Lulz Security not taking responsibility for elderly people being hurt by this exploit is a common lack of awareness among several hacker groups that their actions can hurt customers.

And the idea that a vulnerability of security gives someone the right to steal private information and then give the public access to it is nonsense imo.

Lots of people are casual with security. People can hand their credit cards over in restaurants, where the CC # (including the security code on the back) can easily be copied. Does that give the restaurant staff the right to openly publish credit card numbers on the web? I don't think so.

I can think of other examples where people give car keys for valet parking (which would allow time for hotel staff to make a quick copy). Does that give the hotel staff the right to hand out car keys to anyone who wants them?

* What is happening here is simple imo. Some hackers believe they have the right to do whatever they want in stealing personal information no matter who it hurts. I can never agree with that POV.

If the door to your local council, which holds all your personal data, is left wide open and thieves walk in and take all the files of everyone there, do you blame the thieves or the council for being incompetent?

They already proved Sony security is bad, no need to harm the innocents.

This is precisely why I don't see these hacker groups as a good thing. If I have to pick between greedy corporations trying to subvert the government and these hacker groups lulzing about stopping them, I'll take the greedy corporations. At least they're up front about being in it for the money, and I can respect a capitalist position. The "I'm a douchebag" position is not one I can respect.

And what is this "worthless moneygrubbing" stuff--the post says almost nothing about Sony? It's focused on the hackers.

Here's the thing: I like and respect Ars, and since you were covering the PSN outage so closely, I assumed I could rely on you to let us know when it was back up. Yes, even if it was just a one-line post. I've seen those before. Sure, three days ago you posted that Sony promised it would be up this week. Is a followup to say that it was indeed back up really expecting that much of you?

And the Welcome Back packages coming online today. Is that not newsworthy? Every other site that covers gaming has run the story.

I believe in journalistic integrity, and I believe that it's something anyone calling themselves a journalist strives for and takes pride in. I really want to give you the benefit of the doubt. Hell, I've been laughing off cries of bias in the gaming press since the days when I got my info from dailyradar.com.

But it does start to look funny when a site that supposedly covers gaming news fails to cover what is arguably the biggest story on two consecutive days, but then runs a "Crackers Act Childish Toward a Reporter" story, which is essentially content-free, but does manage to keep the negative alive for another cycle.

I'm not saying you're doing this intentionally, but if you want to maintain the reputation of journalistic integrity, you should consider the perception that you may be creating.

And as far as my "money-grubbing ball sweat" comment, this is commentary on some other Ars commenters, not on the Ars staff. I apologize if my lack of skill with the written word caused it to be misconstrued.

Ars Technica keeps referring to these groups as activists and hacktivists.

I appreciate how they're praising thieves victimizing the end users.

"One man's terrorist is another man's freedom fighter." No matter the issue there are always two sides to a story. Don't be so quick to judge, because I'm pretty sure, since you are human, that some people you admire others would be abhorrent towards.

And no doubt world authorities and other charities will educate the public that when an email address is requested it is best to use a fake or borrowed one, so when 'stolen' the damage is minimal.

But more importantly, that when registering with email, it is NOT required that the password be the same as your email account's. Most people new to online broadcasts (noobs) perceive it to be a requirement and fear doing otherwise threatens their EULA.

Is it plugged in?

And by the by, "ball sweat" alone conveyed your intent; making it week-long added insult to injury. Drowning was certainly excessive.

If the door to your local council, which holds all your personal data, is left wide open and thieves walk in and take all the files of everyone there, do you blame the thieves or the council for being incompetent?

All personal information is not guarded by someone with a gun. For instance there is personal information delivered to people's mailboxes around the world almost every day. That doesn't give someone the right to follow the mail delivery person around and take people's mail out of their mail boxes.

A society cannot function properly if everyone is a thief. Otherwise it falls apart.

As "chivalrous" as Anonymous "is", I can't imagine that they're liking the kind of bad light that LulzSec is bound to get Anon portrayed in, just by association. Much like a violent terrorist extremist group can easily make even peaceful protestors appear in a suspicious light (read: Egypt, etc.)

Not that I'm comparing Anonymous to a group of peaceful protestors, but it's just to illustrate the point.

If the door to your local council, which holds all your personal data, is left wide open and thieves walk in and take all the files of everyone there, do you blame the thieves or the council for being incompetent?

Ugh. Regardless of the fact that Sony practices laughably bad data security, the responsibility for the publication of this data and all the harm it causes should fall squarely on the shoulders of these very lulzy hackers. I'm sure they're fine with that because it doesn't seem that they have very highly evolved consciences, and seem to be motivated only by a sense of righteous mischief. But this is simply a criminal act. Should the people responsible be found, I hope they receive a strong punishment. This stuff is not funny or productive in any way. It is not heroic or important work, it is simply vandalism. Pointing out that people need to be more careful with the information and passwords they use for online activity is an important thing, but this is not the way to go about it. Lack of proper security does not excuse data theft, and certainly does not excuse a publication of this sort. If the community bank down the street doesn't have the best security in the world, and I manage to find a way in there after hours and take all the money, that doesn't let me off the hook. Anybody celebrating this act because someone is once again "sticking it to Sony" needs to grow the hell up.

Well, to be fair, SQL injection attacks are among the easiest one could pull off. Even an 8-year-old with half its brain missing wouldn't have too much trouble with the concept. It is ridiculous that a public-facing website would have such a glitch in it. Ever heard of input validation? Never trust any data from the outside world. In a proper system you wouldn't even trust data coming from other parts of the system. Sony apparently didn't bother hiring real programmers, let alone performing a security audit on the code before putting it on the production server. This result is more than predictable.
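To make concrete the two failures this thread keeps circling back to (a query built by string concatenation, and passwords stored in plaintext), here is an added illustration in Python; it is not Sony's code and uses a constructed in-memory SQLite table with made-up users. It shows the concatenated lookup returning every row for a malformed input, the parameterized lookup treating the same input as a plain string, and a login check against salted PBKDF2 hashes instead of plaintext.

```python
import hashlib
import hmac
import os
import sqlite3

# Constructed sample table (not Sony's schema): passwords are kept only as
# salted PBKDF2 hashes, so a dump of this table yields no reusable passwords.
SAMPLE_USERS = [("alice@example.com", "correct horse"), ("bob@example.com", "hunter2")]


def hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


def make_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (email TEXT PRIMARY KEY, salt BLOB, pw_hash BLOB)")
    for email, pw in SAMPLE_USERS:
        salt = os.urandom(16)
        conn.execute("INSERT INTO users VALUES (?, ?, ?)", (email, salt, hash_password(pw, salt)))
    return conn


def lookup_vulnerable(conn: sqlite3.Connection, email: str) -> list:
    # The input is spliced into the SQL text, so a quote character in it
    # changes the structure of the WHERE clause rather than the value compared.
    sql = "SELECT email FROM users WHERE email = '" + email + "'"
    return [row[0] for row in conn.execute(sql)]


def lookup_parameterized(conn: sqlite3.Connection, email: str) -> list:
    # The value is bound to a placeholder and sent separately from the SQL
    # text; whatever characters it contains, it is compared as a literal.
    return [row[0] for row in conn.execute("SELECT email FROM users WHERE email = ?", (email,))]


def verify_login(conn: sqlite3.Connection, email: str, password: str) -> bool:
    row = conn.execute("SELECT salt, pw_hash FROM users WHERE email = ?", (email,)).fetchone()
    if row is None:
        return False
    salt, stored = row
    # Constant-time comparison of the recomputed hash against the stored one.
    return hmac.compare_digest(hash_password(password, salt), stored)


if __name__ == "__main__":
    db = make_db()
    odd_input = "x' OR '1'='1"
    print("concatenated:", lookup_vulnerable(db, odd_input))   # every row comes back
    print("parameterized:", lookup_parameterized(db, odd_input))  # nothing matches
    print("login ok:", verify_login(db, "alice@example.com", "correct horse"))
```

Run it and compare the two lookup results for the same input; the stored table can also be dumped to confirm that no plaintext password is present.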

Given the origins of LulzSec (crude degenerates of the internet), the response to the reporter being from "the daily, the new ipad newspaper-thing" was a pretty tame one; good for him to at least roll with it.

Maybe they should spend a bit less time hacking, and a bit more time taking some critical thinking, logic, and ethics courses. Saying "blame Sony, not us" is kind of like taking the bolts out of a railroad bridge and then saying to blame the train line for the crash and deaths.

Grow up kiddies! Ideas and actions have consequences... and responsibilities.